Abstract

We consider a type of zero-knowledge protocols that are of interest for their practical applications within networks like the Internet: efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks. As negative results in the area of concurrent non-malleable zero-knowledge imply [?] that protocols in the standard setting (i.e., under no setup assumptions) can only be given for trivial languages, researchers have studied such protocols in models with setup assumptions, such as the common reference string (CRS) model. This model assumes that a reference string is honestly created at the beginning of all interactions and later available to all parties (an assumption that is satisfied, for instance, in the presence of a trusted party).

A growing area of research in Cryptography is that of reducing the setup assumptions under which certain cryptographic protocols can be realized. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we consider a model, which we call the Authenticated Public-Key (APK) model. The APK model seems to significantly reduce the setup assumptions made by the CRS model (as no trusted party or honest execution of a centralized algorithm are required), and can be seen as a slightly stronger variation of the Bare Public-Key (BPK) model from [8, 30], and a weaker variation of the registered public-key model used in [3]. We then define and study man-in-the-middle attacks in the APK model. Our main result is a constant-round concurrent non-malleable zero-knowledge argument of knowledge for any polynomial-time relation (associated to a language in NP), under the (minimal) assumption of the existence of a one-way function family. We also show time-efficient instantiations of our protocol, in which the transformation from a 3-round honest-verifier zero-knowledge argument of knowledge to a 4-round concurrently non-malleable zero-knowledge argument of knowledge for the same relation incurs only O(1) (precisely, a small constant) additional modular exponentiations, based on known number-theoretic assumptions. Furthermore, the APK model is motivated by the consideration of some man-in-the-middle attacks in models with setup assumptions that had not been considered previously and might be of independent interest.

We also note a negative result with respect to further reducing the setup assumptions of our protocol to those in the (unauthenticated) BPK model, by showing that concurrently non-malleable zero-knowledge arguments of knowledge in the BPK model are only possible for trivial languages.

Keywords: Zero-Knowledge Protocols, Concurrent Non-Malleability, Public-Key Models

1 Introduction 

Zero-knowledge protocols, first introduced in [?], have received a significant amount of attention from the research community because of their useful applications to several cryptographic protocols in a variety of settings. As such protocols are often deployed in distributed and asynchronous networks like the Internet, the research on these protocols is moving towards extending the security properties of (stand-alone) zero-knowledge protocols to models with multiple parties, asynchronous message delivery, and adversarial modification of exchanged messages.

In particular, the notion of concurrent zero-knowledge, first studied by [18], extends the zero-knowledge security notion to the case where multiple concurrent executions of the same protocol take place and a malicious adversary may control the scheduling of the messages and corrupt multiple provers or verifiers in order to violate the soundness or zero-knowledge properties (respectively). Unfortunately, concurrent zero-knowledge with black-box simulation requires a logarithmic number of rounds for languages outside BPP [9], and therefore its round-complexity is not efficient. In the Common Reference String model, [11] shows that 3-round and time-efficient concurrent zero knowledge can be achieved. Surprisingly, using non-black-box techniques, Barak [?] constructed a constant-round non-black-box bounded concurrent zero-knowledge protocol whose time-complexity, however, is not efficient.

The concept of non-malleable zero knowledge was put forward in [?]. The issue of malleability arises in the so-called man-in-the-middle setting, in which the adversary plays the role of the verifier in several proofs (left interactions) and at the same time acts as the prover in some other proofs (right interactions), having full control over the scheduling of the messages between parties. The serious problem in such a scenario is that the information obtained from left interactions may help the adversary to cheat the verifier in one of the right interactions (malleability). A zero-knowledge protocol is considered non-malleable if it is immune against such a problem. In [17], the authors give an O(log n)-round non-malleable concurrent zero-knowledge protocol in which the adversary interacts with only one prover. Achieving non-malleability non-interactively in the common random string model was studied in [12] and [37]. In [2], a constant-round coin-tossing protocol assuming the existence of hash functions that are collision-resistant against subexponential-time adversaries was presented, which can be used to transform non-malleable non-interactive zero-knowledge in the shared random string model into interactive non-malleable zero-knowledge in the plain model. A new constant-round non-malleable ZK with minimal assumptions was presented in [34], but it could not be extended to the concurrent model. Note that in [2] and [34] non-black-box techniques were used, and thus the resulting protocols are very inefficient. As shown in [29], it is impossible to achieve concurrent non-malleability without setup assumptions. Several works on this issue show the feasibility of achieving concurrent non-malleability efficiently in the common reference string model. In [20] Garay et al. defined the so-called Ω-protocol, a variant of Σ-protocol with a straight-line extractor, and then showed a technique to transform an Ω-protocol into a concurrently non-malleable ZK protocol. Gennaro [21] introduced multi-trapdoor commitments and presented a very efficient ZK protocol enjoying concurrent non-malleability.

A growing area of research in Cryptography is that of reducing the setup assumptions under which certain cryptographic protocols can be realized. In an effort to reduce the setup assumptions required for efficient zero-knowledge arguments of knowledge that remain secure against concurrent man-in-the-middle attacks, we study concurrent non-malleability in a weak model with a very relaxed setup assumption, the Bare Public-Key (BPK) model of [8]. Compared with previous models such as the common reference string model and the preprocessing model considered, for instance, in [11], this model seems to significantly reduce the setup assumptions: it just assumes that each verifier deposits a public key pk in a public file before any interaction with the prover begins, with no need of trusted parties. Since its introduction, many papers focusing on resettable zero knowledge in this model have appeared in recent years, but they do not address man-in-the-middle attacks. More specifically, we consider a new variation of this model, which we call the Authenticated Public-Key (APK) model. The APK model is a stronger variation of the BPK model from [8, 30], and can also be seen as a weaker variation of the registered public-key (RPK) model used in [3], and still seems to significantly reduce the setup assumptions made by the RPK or CRS models (as no trusted party or honest execution of a centralized algorithm are required; see the detailed discussion in Section 2).

Our results. In this paper we study concurrent non-malleability in the APK model and in the BPK model. Our results are the following.

Concurrently non-malleable ZK in the APK model based on one-way functions. This is our main result. In particular, we construct a 5-round concurrently non-malleable zero-knowledge argument of knowledge for any polynomial-time relation (associated to an NP language), under the (minimal) assumption of the existence of a one-way function family.

Round-optimal and time-efficient instantiations in the APK model based on specific number-theoretic assumptions. We also show two efficient instantiations of our protocol, in which the transformation from a 3-round honest-verifier zero-knowledge argument of knowledge to a 4-round concurrently non-malleable zero-knowledge argument of knowledge incurs only O(1) (a small constant) additional modular exponentiations, based on known number-theoretic assumptions.

Negative results in the BPK model. We note a negative result with respect to further reducing the setup assumptions of our protocol to the BPK model, by showing that concurrently non-malleable zero-knowledge arguments of knowledge in the (unauthenticated) BPK model are only possible for trivial languages. This shows that the setup assumption behind our main result is essentially optimal.

Our study of the APK model is also partially motivated by the consideration of some man-in-the-middle attacks in models with setup assumptions that had apparently not been considered previously and might be of independent interest. Specifically, we allow a man-in-the-middle to modify not only the communication between two parties (i.e., a prover and a verifier), but also between a party (prover or verifier) and the site of the common setup information, this being a public file with several public keys, a common reference string, etc. (as access to common setup information is itself realized as a communication exchange between the party and the setup information's site).

Comparison with the recent work [?]. Very recently, Ostrovsky, Persiano and Visconti introduced the notion of concurrent non-malleable witness indistinguishability, implemented a concurrently non-malleable zero-knowledge protocol, and realized ZK arguments of knowledge under general concurrent composition in the BPK model. This seems to contradict our impossibility results. However, we argue that the term "BPK" in their paper actually denotes the same model as our "APK" model: we make the same requirement on the BPK model that once the public file is published, the whole file cannot be modified by the adversary. We think such a requirement must involve an authenticated channel in the man-in-the-middle setting if we allow adversaries to control all communication that takes place in the proof stage (including the prover's access to the public file), as considered in this paper. This is the only reason we call the new model the "APK" model.

Ignoring the above artificial difference, we note that, compared to OPV's construction for concurrently non-malleable ZK arguments, our construction is far more efficient because we use only black-box techniques, and is based on a more general intractability assumption (existence of one-way functions). Furthermore, based on some specific number-theoretic assumptions, we can also instantiate our protocol very efficiently: the transformation from a 3-round honest-verifier zero-knowledge argument of knowledge to a 4-round (optimal) concurrently non-malleable zero-knowledge argument of knowledge for the same relation incurs only a small constant number of additional modular exponentiations.

We also note that Ostrovsky et al. address more general issues, e.g., ZK under general concurrent composition, which we do not study here.

2 Definitions 

In this section we define the authenticated public-key (APK) model for zero-knowledge protocols, and define concurrently non-malleable zero-knowledge arguments in this model. We also recall the background tools of commitment schemes, signature schemes and Σ-protocols, that will be used in our main construction.

The APK Model. In [8], the authors introduced the bare public-key (BPK) model for zero-knowledge protocols. Informally, in this model, protocols are defined in two stages: a preprocessing stage, in which all verifiers post a public key on a public file; and a proof stage, in which provers and verifiers interact and have access to the previously created public file. The term 'bare' in the name of the model refers to the fact that, contrarily to other models, such as the public-key infrastructure model, no certification of the public keys is required. In this model, the authors (and several other papers) presented constant-round resettable zero-knowledge arguments for any language in NP, under appropriate complexity assumptions. In this paper we would like to construct zero-knowledge arguments of knowledge that remain so even under man-in-the-middle attacks. To this purpose, we consider a slightly stronger version of the BPK model, which we call the authenticated public-key (APK) model. Briefly speaking, the APK model only augments the BPK model in that during the proof stage, the provers are guaranteed to have access to the same public file that was determined at the end of the preprocessing stage. This happens regardless of any adversarial activity such as man-in-the-middle attacks (in other words, adversaries in the middle between any prover and the public file's site are prevented from altering the prover's reading of this file). Formally, the authenticated public-key model (APK model) makes the following assumptions.

1. There are two types of entities: provers and verifiers, and the entire interaction between them can be divided into two stages; the first stage is called the preprocessing stage and only needs to be run by verifiers; at the end of the preprocessing stage, the proof stage starts, where any pair of prover and verifier can interact. All algorithms have access to a public file. Provers, verifiers and the public file are defined below.

2. The public file, structured as a collection of records, is empty at the beginning and can be modified by the verifiers during the preprocessing stage; the version of the public file F obtained at the end of the preprocessing stage will be used during the proof stage.

3. An (honest) prover P is an interactive deterministic polynomial-time algorithm that operates in the proof stage, on input a security parameter 1^n, an n-bit string x ∈ L, an auxiliary input w, a public file F_P and a random tape r_P, where L is a language in NP.

4. An (honest) verifier V is a pair of deterministic polynomial-time algorithms (V_1, V_2), where V_1 operates in the preprocessing stage and V_2 operates in the proof stage. On input a security parameter 1^n and a random tape r_{V_1}, V_1 generates a key pair (pk, sk) and stores pk in the public file. On input pk, sk, an n-bit string x and a random tape r_{V_2}, the interactive algorithm V_2 performs the interactive protocol with a prover, and outputs "accept x" or "reject x" at the end of this protocol.

5. There is an authenticated channel between a prover and the public file site. Thus for any prover it holds that F_P = F.

Remarks. The only difference between the above formal definition and the formal definition of the BPK model from [8, 30] is in item 5, which implies that the public file used by all provers cannot be different from the public file obtained at the end of the preprocessing phase. We note however that all previous papers in the BPK model (starting with [8, 30]) did not study man-in-the-middle attacks, but mostly focused on questions related to concurrent or resettable variants of the soundness or zero-knowledge properties. When considering man-in-the-middle attacks, as we do in this paper, we need to consider adversaries that can control all communication that takes place in the proof stage (including the prover's access to the public file) and invoke many different provers in the left interactions (these provers are not aware of the existence of each other). Although not explicitly stated, a similar constraint on the public file has to implicitly hold for each verifier; specifically, first recall that verifiers are defined in two stages; then note that each verifier's proof stage activation uses the same public file (or, more precisely, the same pair (pk, sk)) generated by the same verifier's preprocessing stage activation. In other words, each verifier is already assumed to 'remember' (at least part of) the public file between the two stages in the BPK model, and the APK model could be realized by further assuming that each prover also remembers the (entire) public file between the two stages (thus obviously realizing authenticated access as access to private memory).
Comparison with the RPK and CRS models. We note that the APK model can be seen as a weaker version of the RPK model, the registered public-key model from [3], which is a stronger version of the BPK model where all parties (i.e., both provers and verifiers) are required to post a public key and a trusted party needs to verify each party's knowledge of the associated secret key in the preprocessing stage. (To see that the RPK model is stronger than the APK model, note that each party in the RPK model can keep state information, such as the content of the entire public file, between the preprocessing stage and the proof stage, and therefore authenticated access to the public file is obviously guaranteed by a party accessing its own state information.) In the APK model, however, it is not required that the provers publish a public key and no trusted party is necessary in the preprocessing/registering stage. The model in [3] was used to study secure function evaluation protocols with universal composability properties, where the authors' goal was that of presenting such protocols under setup assumptions weaker than those in the common reference string model. Analogously, in this paper we present concurrently non-malleable arguments in the APK model, under setup assumptions weaker than those in the CRS model (although the goals addressed and techniques used are very different). We remind readers that if the man-in-the-middle adversary is allowed to control the honest party's access to the common reference string, the CRS model should also assume an authenticated channel between all parties and the site where the common reference string is available (so that all parties have secure access to the common reference string).

Concurrently Non-Malleable Arguments of Knowledge in the APK Model. We start with some basic definitions and then define the requirements of completeness, concurrent zero-knowledge, extraction, and view simulatability.

We say that a function f(n) is negligible if for every polynomial q(n) there exists a positive integer n_0 such that for all n > n_0, it holds that f(n) < 1/q(n). If L is a language in NP, we define the associated relation as the relation R_L = {(x, w) | x ∈ L; w is a witness for 'x ∈ L'}. Conversely, let R be a relation. We define the domain of R as the language dom R = {x | ∃w such that (x, w) ∈ R}. If R is a polynomial-time relation (i.e., a relation for which there exists a polynomial-time algorithm deciding whether an input pair belongs to it), we define the associated language L_R as the domain of R. The definition of the class NP implies that for every language L in NP, its associated relation R_L is polynomial-time.

Completeness and Concurrent Zero-knowledge. The definitions of completeness and concurrent zero-knowledge of argument systems in the APK model are immediate adaptations of the analogous definitions in the BPK model, which, in turn, are adaptations of the analogous definitions in the standard model.

Definition 2.1 Let L be a language in NP and let R_L be its associated relation; also, let P and V be a prover and a verifier, respectively, in the APK model.

We say that pair (P, V) satisfies the completeness requirement if, after public file F has been generated during the preprocessing phase, where F contains pair (pk, sk) generated by V_1, for all n-bit strings x ∈ L and any w such that (x, w) ∈ R_L, the probability that in the proof stage V interacting with P on input x outputs "reject" is negligible in n.

We say that pair (P, V) satisfies the concurrent (black-box) zero-knowledge requirement if there exists a probabilistic polynomial-time algorithm S such that for any probabilistic polynomial-time algorithm V*, for any polynomials s, t, for any x_i ∈ L of length n, i = 1, ..., s(n), where V* runs in at most t(n) steps, the following two distributions are indistinguishable:

1. the output of V* that first generates F with s(n) entries and interacts concurrently with instances of the honest prover: P(x_i, w_i, pk_j, F), 1 ≤ i, j ≤ s(n), where each instance uses an independent random string, w_i is a witness for x_i ∈ L, and pk_j is the j-th entry registered by V* in F.

2. the output of S on input x_1, ..., x_{s(n)}.

The adversary and its man-in-the-middle attacks in the APK model. Let s be a positive polynomial. The adversary we consider, called a man-in-the-middle in the APK model and denoted as A, is a polynomial-time algorithm that can act both as a prover and as a verifier, both in the preprocessing stage and in the proof stage. Specifically, in the preprocessing stage, A can act as a verifier and register up to a polynomial number of public keys. In the proof stage, A can concurrently interact with provers in left interactions, where it plays the role of a verifier and uses a public key posted by A itself or by a (real) verifier; or A can interact with verifiers in right interactions, where it plays the role of a prover. The total number of left and right sessions is at most s(n), where n is the security parameter (also set to be equal to the length of the instances of the proved statements).

More formally, A's attack is executed as follows:

• Preprocessing stage: A takes as inputs 1^n and a random string r and registers a polynomial number of public keys (we denote this polynomial as t). All honest verifiers register their public keys (for simplicity of notation, we also assume that the number of the honest verifiers' public keys is at most t(n)). The public keys registered by A and all honest verifiers form a public file F.

• Proof stage: A continues its execution by taking F as additional input, and may start a polynomial number of left interactions or right interactions (for simplicity of notation, we assume that this number is at most s(n)).

At any time during this stage A can do one of the following actions:

1) deliver to V a message for an already started right session;
2) deliver to P a message for an already started left session;
3) start a new left session, by choosing a new statement 'y_j ∈ L', a public key pk_j from F (which was previously generated by either an honest verifier or even by A itself), and a prover P, and send a special message 'Start left session with inputs y_j, pk_j' to P, who is given as additional input w_j such that R_L(y_j, w_j) = 1 and has access to the (not modified) public file F;
4) start a new right session, by choosing a new statement 'x_i ∈ L', a verifier V and a public key pk_i from F which was previously generated by V, and send a special message 'Start right session with inputs x_i, pk_i' to V, who is given as additional input the secret key sk_i associated with pk_i, and a new random string as random tape;
5) output a special 'end attack' symbol, where we assume that this symbol is returned within time polynomial in n.

In all cases, the prover P's (or verifier V's) reply (if any) to A's message is immediately delivered to A.

The adversary's goal is that of completing a right session for which the verifier accepts even if the adversary does not know a witness for the associated statement.

Let tr_right(x) (resp., tr_left(y)) be the transcript of a session generated by A and V (resp., A and P) on common input x (resp., y) under one public key adaptively chosen by A, that was previously registered by a verifier V on the public file F. Also, we denote by a ← A(x, y, ...) the process of running the probabilistic algorithm A on input (x, y, ...) and obtaining a as output.

We consider the probability that V accepts the statement 'x_i ∈ L' in a right session and the transcript of this interaction is different from any transcript in the left interactions. This probability is denoted as p_A(x_i) and can be formally defined as equal to:

Prob[(pk, sk) ← V_1(1^n); ⟨A^{P(y_1), ..., P(y_s), V(x_1), ..., V(x_s)}(pk, x_i), V_2(pk, sk, x_i)⟩ = 1 ∧ tr_right(x_i) ∉ Q]

where V is one of the verifiers V_j's, the statements y_1, ..., y_s, x_1, ..., x_s are adaptively chosen by A, and

Q = {tr_left(y_j) : 1 ≤ j ≤ s}.

To define the extraction requirement, we note that the extractor acts in two phases: first, it interacts with the adversary A, returning an 'extended' transcript extr_right(x_i) related to a particular right session. Specifically, extr_right(x_i) contains all messages exchanged between A and the extractor within a particular right interaction where the statement 'x_i ∈ L' is being proved. (Note that this is an extended version of tr_right(x_i) as it may include messages exchanged across different executions of the same session due to multiple rewindings of A done by the extractor.) Second, a predicate p tries to extract a witness from extr_right(x_i), and is successful whenever p_A(x_i) is large enough. We stress that restricting the extractor in the APK model to return a witness based only on the particular transcript extr_right(x_i) (rather than, say, based on transcripts of all s(n) sessions) is necessary due to the separation results in the BPK model of [30]; in this latter paper, messages from other sessions may be used as witnesses for the current session.

We are finally ready to define the two requirements of extraction and simulatability of A's view, and we can then define concurrently non-malleable zero-knowledge arguments of knowledge in the APK model.

Definition 2.2 Let L be a language in NP and let R_L be its associated relation; let P and V be a prover and a verifier, respectively, in the APK model, and let μ : N → [0, 1] be a function (knowledge error).

We say that pair (P, V) is a (black-box) concurrently non-malleable zero-knowledge argument of knowledge (with knowledge error μ) for relation R_L if it satisfies the following requirements:

1. Completeness and Concurrent Zero Knowledge, as in Definition 2.1.

2. Extraction: For every polynomial s and every probabilistic polynomial-time man-in-the-middle adversary A that engages in at most s sessions in each part of the interactions (left or right interactions), there exists a probabilistic polynomial-time knowledge extractor E and a polynomial-time predicate p, such that for all i, 1 ≤ i ≤ s, if p_A(x_i) > μ(n) then E, with access to A, returns extr_right(x_i), and p(x_i, pk, extr_right) returns w_i such that (x_i, w_i) ∈ R_L with probability differing from p_A(x_i) − μ(n) only by a negligible amount.

3. Simulatability of A's View: There exists a probabilistic polynomial-time simulator M = (M_P, M_V) such that A's view View[A, P, V] in the real man-in-the-middle setting is computationally indistinguishable from the view View[A, M_P, M_V] simulated by M. Here, View[A, X, Y] is formally defined as the sequence of A's random coins, all common inputs and public keys, and the transcripts of all left and right interactions between A and any provers or verifiers executed using algorithms X and Y, respectively.

Background tools. We recall definitions of known tools, such as commitment schemes, signatures, and Σ-protocols, which will be useful in our main construction.

Commitment schemes. A commitment scheme is a two-phase two-party (the sender S and the receiver R) interactive protocol with the following properties: 1) correctness: at the end of the second phase, R obtains the value committed by S during the first phase; 2) hiding: commitment keys associated to two committed values are computationally indistinguishable by every probabilistic polynomial-time (possibly malicious) R*; 3) binding: after having committed to a value m during the first phase, any probabilistic polynomial-time (possibly malicious) sender S* cannot open this commitment to another value m' ≠ m except with negligible probability. We will mainly use commitment schemes where the first phase consists of 2 messages: one preliminary message sent by R, and one message sent by S; and the second phase consists of 1 message sent by S. Such schemes can be constructed assuming the existence of any one-way function family (using the scheme from [31] and the result from [27]) or under number-theoretic assumptions (e.g., the scheme from [35]). Assuming the existence of one-way permutation families, a well-known construction of a commitment scheme (see, e.g., [22]) can be given where the first phase only consists of a single message from S.
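As an added illustration of the two-message first phase just described (example code, not from the paper, and not necessarily the scheme it cites as [35]), the following Python implements a Pedersen-style commitment over a constructed toy group: R's preliminary message is a second base h, S's message is the commitment itself, and the second phase is a single opening message from S. The trapdoor function at the end shows why such a scheme is perfectly hiding but only computationally binding: whoever knows log_g h can open a commitment to any value, so R must keep or discard that discrete logarithm. The group parameters and all function names are assumptions of this example.

```python
import secrets

# Constructed toy group for the example: p = 2q + 1 with q prime, and g of
# prime order q in Z_p^*. Far too small for real use; chosen to keep the
# arithmetic readable.
P, Q, G = 2039, 1019, 4


def receiver_first_message():
    """Phase 1, message 1 (R -> S): R picks a fresh base h = g^t.
    R must not leak t: binding holds only against a sender who does not know log_g h."""
    t = secrets.randbelow(Q - 1) + 1
    return pow(G, t, P), t


def commit(h, m):
    """Phase 1, message 2 (S -> R): c = g^m * h^r for a random r; r is S's opening key."""
    r = secrets.randbelow(Q)
    return (pow(G, m, P) * pow(h, r, P)) % P, r


def open_and_check(h, c, m, r):
    """Phase 2 (S -> R): S reveals (m, r); R accepts iff the commitment recomputes."""
    return c == (pow(G, m, P) * pow(h, r, P)) % P


def equivocate_with_trapdoor(t, m, r, m_new):
    """Hiding is perfect because every c is consistent with every value: with the
    trapdoor t = log_g h, c = g^(m + t*r) also opens to m_new using
    r' = r + (m - m_new) * t^-1 mod q, since m_new + t*r' = m + t*r."""
    return (r + (m - m_new) * pow(t, -1, Q)) % Q


def demo():
    """Honest open succeeds, a changed value fails, and the trapdoor holder can re-open."""
    h, t = receiver_first_message()
    m = 42                                  # constructed sample value
    c, r = commit(h, m)
    honest = open_and_check(h, c, m, r)
    wrong_value = open_and_check(h, c, m + 1, r)
    r_new = equivocate_with_trapdoor(t, m, r, 7)
    trapdoor_open = open_and_check(h, c, 7, r_new)
    return honest, wrong_value, trapdoor_open
```

The receiver's preliminary message is what makes the scheme fit the "2 messages, then 1" shape used later in the paper; a sender that could choose h itself (or learn t) would lose nothing by committing, which is exactly the situation `equivocate_with_trapdoor` makes visible.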

Signature schemes. A signature scheme is a triplet (KG, Sig, Ver) of probabilistic polynomial-time algorithms. KG is the key-generation algorithm that on input the security parameter 1^n generates a key pair (sig_k, ver_k). On input the signing key sig_k and a message m, algorithm Sig outputs a signature σ for m, i.e., σ = Sig(sig_k, m). Given ver_k, a message m and a string σ', algorithm Ver outputs 1 if σ' is a valid signature for m, i.e., Ver(ver_k, σ', m) = 1, and otherwise outputs 0.

We will use two properties of many signature schemes in the literature.

We say a signature scheme is a one-time strong signature scheme if no probabilistic polynomial-time adversary, after receiving one valid signature on a message of its choice by querying the signing oracle, can produce a different valid signature on any message, including the message it queried. Such signature schemes can be obtained from the assumption of the existence of one-way function families, for instance, from [19].

We consider signature schemes that satisfy existential unforgeability against adaptive chosen-message attack (first defined in [25]). The security of such schemes is formalized in a scenario in which an adversary asks the signing oracle for signatures on a polynomial (in the security parameter n) number s(n) of messages of its choice. If for all polynomials s there is no probabilistic polynomial-time adversary which forges a valid signature on a message different from all messages it queried, we say that the signature scheme is secure against adaptive chosen-message attack. As shown in [36], one-way functions are sufficient for this type of signature.
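To make the triple (KG, Sig, Ver) and the "one-time" restriction concrete, here is an added example (not from the paper and not the construction of [19]) of a Lamport-style one-time signature in Python. SHA-256 stands in for the one-way function, and messages are hashed to a 256-bit digest before signing; both are assumptions of this example, as are the function and class names. The OneTimeSigner wrapper enforces the one-time restriction, because a second signature under the same key would reveal the preimage for both bit values at every position where the two digests differ, which is exactly what the one-time security game forbids the adversary from learning.

```python
import hashlib
import secrets

N_BITS = 256          # messages are signed via their 256-bit SHA-256 digest


def f(x: bytes) -> bytes:
    """One-way function stand-in for the example (SHA-256)."""
    return hashlib.sha256(x).digest()


def KG():
    """sig_k: a pair of random 32-byte preimages per digest bit;
    ver_k: their images under f. Only ver_k is published."""
    sig_k = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    ver_k = [(f(s0), f(s1)) for s0, s1 in sig_k]
    return sig_k, ver_k


def _digest_bits(m: bytes):
    """The message digest as a list of 256 bits, most significant first."""
    d = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def Sig(sig_k, m: bytes):
    """sigma = Sig(sig_k, m): for each digest bit, release the matching preimage."""
    return [sig_k[i][b] for i, b in enumerate(_digest_bits(m))]


def Ver(ver_k, sigma, m: bytes) -> int:
    """Ver(ver_k, sigma', m) = 1 iff every released value maps under f to the
    published image selected by the corresponding digest bit of m."""
    if len(sigma) != N_BITS:
        return 0
    return int(all(f(sigma[i]) == ver_k[i][b] for i, b in enumerate(_digest_bits(m))))


class OneTimeSigner:
    """Holds one key pair and refuses to sign twice: the 'one-time' in the scheme's name
    is a usage rule that the surrounding system has to enforce."""

    def __init__(self):
        self.sig_k, self.ver_k = KG()
        self.used = False

    def sign(self, m: bytes):
        if self.used:
            raise RuntimeError("one-time signing key already used")
        self.used = True
        return Sig(self.sig_k, m)


def demo():
    """Valid signature verifies, a tampered message fails, a second signing is refused."""
    signer = OneTimeSigner()
    m = b"constructed sample message"
    sigma = signer.sign(m)
    ok = Ver(signer.ver_k, sigma, m)
    tampered = Ver(signer.ver_k, sigma, b"constructed sample messagf")
    try:
        signer.sign(b"a second message")
        refused = False
    except RuntimeError:
        refused = True
    return ok, tampered, refused
```

In the paper's constructions a fresh one-time key pair is generated per session, which is what makes the one-time restriction affordable; the wrapper above is the minimal runtime check that a fresh key is in fact used only once.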

Σ-protocols. These protocols are defined as 3-round public-coin proofs of knowledge with some nice properties: 1) 
Special soundness. Let (a, e, z) be the three messages exchanged by prover P and verifier V in a session. From any 
statement x and any pair of accepting transcripts (a, e, z) and (a, e', z') where e ≠ e', one can efficiently compute 
w such that (x, w) ∈ R. 2) Special honest-verifier zero-knowledge: given the second message e and the statement 
x, we can compute an accepting transcript of the form (a, e, z) that is computationally indistinguishable from the real 
transcript between P and the honest V. 

Many known efficient protocols, such as those in [26] and [38], are Σ-protocols. Furthermore, there is a Σ-
protocol for the language of Hamiltonian Graphs [7], assuming that one-way permutation families exist; if the 
commitment scheme used by the protocol in [7] is implemented using the scheme in [31] from any pseudo-random 
generator family, then the assumption can be reduced to the existence of one-way function families, at the cost 
of adding one preliminary message from the verifier. (See the previous discussion about the construction of commitment 
schemes.) We will refer to this modified protocol as a 4-round Σ-protocol, and we will use the fact that any language 
in NP admits a 4-round Σ-protocol under the existence of any one-way function family (or under an appropriate 
number-theoretic assumption), or a Σ-protocol under the existence of any one-way permutation family. We will 
also use partially-witness-independent Σ-protocols, where only the last message in these protocols depends on the 
witness of the proved statement, while all other messages only depend on (an upper bound on) the length of any 
such witness. Many Σ-protocols (including [7] for all of NP) are partially-witness-independent. 

Interestingly, Σ-protocols can be composed to prove the OR of atomic statements, as shown in [13, 10]. 
Specifically, given two Σ-protocols Σ_0, Σ_1 for two relations R_0, R_1, respectively, we can efficiently construct a Σ_OR-
protocol for the following relation: R_OR = {((x_0, x_1), y) : (x_0, y) ∈ R_0 or (x_1, y) ∈ R_1}, as follows. 
Let (x_b, y) ∈ R_b, where y is the private input of P. P computes a_b according to protocol Σ_b using (x_b, y). P chooses 
e_{1-b} and feeds the simulator M guaranteed by Σ_{1-b} with e_{1-b}, runs it and gets the output (a_{1-b}, e_{1-b}, z_{1-b}). 
P sends a_b, a_{1-b} to V in the first step. In the second step, V picks e randomly and sends it to P. Last, P sets e_b = e ⊕ e_{1-b}, 
and computes the last message z_b to the challenge e_b using (x_b, y) as witness according to protocol Σ_b. P sends (e_b, 
z_b) and (e_{1-b}, z_{1-b}) to V. V checks that e = e_b ⊕ e_{1-b}, and that the two transcripts (a_b, e_b, z_b) and (a_{1-b}, e_{1-b}, z_{1-b}) are 
accepting. The resulting protocol turns out to be witness indistinguishable: the verifier cannot tell from a transcript 
of a session which witness the prover used. 
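As an added illustration (this is not code from the paper), the OR-composition above instantiated with Schnorr's Σ-protocol for discrete logarithms over a constructed toy group; this is also the "one out of two discrete logarithms" proof that Section 3.1 uses for Π_V. The group parameters, the 8-bit challenge length and all function names are assumptions of this example.

```python
import os

# Constructed toy parameters (an assumption of this example, not from the
# paper): safe prime p = 2q + 1 and a generator g of the order-q subgroup
# of Z_p^*. Real deployments need a group of at least 256-bit prime order.
P, Q, G = 2039, 1019, 4
K = 8   # challenge length in bits; 2**K < Q, so distinct challenges stay
        # distinct modulo q, which special-soundness extraction needs

def rand_zq():
    return int.from_bytes(os.urandom(8), "big") % Q

def rand_challenge():
    return int.from_bytes(os.urandom((K + 7) // 8), "big") % (1 << K)

# --- Schnorr Sigma-protocol for R = {(X, x) : X = g^x mod p} ---------------
def schnorr_commit():
    """First message a = g^t, plus the prover state t."""
    t = rand_zq()
    return pow(G, t, P), t

def schnorr_respond(x_w, t, e):
    """Last message z = t + e*x mod q."""
    return (t + e * x_w) % Q

def schnorr_verify(X, a, e, z):
    return pow(G, z, P) == (a * pow(X, e, P)) % P

def schnorr_simulate(X, e):
    """Special HVZK simulator M: choose z first, then solve for a."""
    z = rand_zq()
    return (pow(G, z, P) * pow(X, -e, P)) % P, e, z

def schnorr_extract(e, z, e2, z2):
    """Special soundness: same a and e != e2 give x = (z - z2)/(e - e2)."""
    return ((z - z2) * pow((e - e2) % Q, -1, Q)) % Q

# --- OR-composition (Sigma_OR) exactly as described in the text ------------
def or_prove_step1(X, b, x_b):
    """P knows x_b for X[b]: a_b honestly, a_{1-b} from the simulator."""
    a_b, t = schnorr_commit()
    e_other = rand_challenge()
    a_other, _, z_other = schnorr_simulate(X[1 - b], e_other)
    a = [a_b, a_other] if b == 0 else [a_other, a_b]
    return a, (b, x_b, t, e_other, z_other)

def or_prove_step3(state, e):
    """After V's challenge e: e_b = e XOR e_{1-b}, answer the real branch."""
    b, x_b, t, e_other, z_other = state
    e_b = e ^ e_other
    z_b = schnorr_respond(x_b, t, e_b)
    es = [e_b, e_other] if b == 0 else [e_other, e_b]
    zs = [z_b, z_other] if b == 0 else [z_other, z_b]
    return es, zs

def or_verify(X, a, e, es, zs):
    return (e == es[0] ^ es[1]
            and schnorr_verify(X[0], a[0], es[0], zs[0])
            and schnorr_verify(X[1], a[1], es[1], zs[1]))

def run_or_session(X, b, x_b):
    """One complete 3-round session; returns (transcript, accepted)."""
    a, state = or_prove_step1(X, b, x_b)
    e = rand_challenge()
    es, zs = or_prove_step3(state, e)
    return (a, e, es, zs), or_verify(X, a, e, es, zs)

def or_extract(tr1, tr2):
    """Knowledge extractor for Sigma_OR: two accepting transcripts with the
    same first message and e != e' disagree in at least one branch's
    sub-challenge; that branch's special soundness yields (i, x_i)."""
    (_, e, es, zs), (_, e2, es2, zs2) = tr1, tr2
    assert e != e2
    i = 0 if es[0] != es2[0] else 1
    return i, schnorr_extract(es[i], zs[i], es2[i], zs2[i])

def rewind_and_extract(X, b, x_b, e1, e2):
    """Rewinding: replay P's state (same a) under two distinct challenges."""
    a, state = or_prove_step1(X, b, x_b)
    tr1 = (a, e1, *or_prove_step3(state, e1))
    tr2 = (a, e2, *or_prove_step3(state, e2))
    assert or_verify(X, *tr1) and or_verify(X, *tr2)
    return or_extract(tr1, tr2)

if __name__ == "__main__":
    x0, x1 = 123, 777                    # constructed witnesses
    X = [pow(G, x0, P), pow(G, x1, P)]
    print(run_or_session(X, 0, x0)[1])   # True: P knows only x0
    print(rewind_and_extract(X, 0, x0, 5, 200))   # (0, 123)
```

The transcript reveals which branch was answered honestly only through e_b, which is uniform either way; that is the witness indistinguishability the text mentions.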

In our construction the verifier executes a Σ_OR-protocol to prove knowledge of one of the secret keys 
corresponding to his public key. Furthermore, as required in [16], we need a partial-witness-independence property 
from this protocol: the message sent at its first round should have a distribution independent from any witness for the 
statement to be proved. We can obtain such a protocol using [38, 13]. 

3 Constant-Round Concurrently Non-Malleable Zero-Knowledge Arguments of Knowledge in the APK Model 

In this section we present our main result: under general complexity assumptions, we present a constant-round 
concurrently non-malleable zero-knowledge argument of knowledge for any polynomial-time relation in the APK 
model. We describe our result as a transformation that, under general complexity assumptions, applies to any Σ-
protocol (that is, an argument of knowledge with negligible knowledge error that satisfies special soundness and 
special honest-verifier zero-knowledge). Formally, we obtain the following. 
Theorem 3.1 Let L be a language in NP, let R_L be the associated polynomial-time relation, and assume that 
there exists a Σ-protocol for R_L. In the APK model, if there exist one-way function families, then there exists a 
constant-round (black-box) concurrently non-malleable zero-knowledge argument of knowledge for R_L. 

An important consequence of this theorem is that under the existence of one-way function families, we obtain a 
constant-round (black-box) concurrently non-malleable zero-knowledge argument of knowledge for R_L, for any 
language L in NP. 

Remarks on complexity assumptions, round and time efficiency. We note that the complexity assumption sufficient 
for our transformation is the weakest possible, as it is also necessary for non-trivial relations, due to one of the many 
consequences of the main result in [28]. The above statement of our main result focuses on the strongest generality 
with respect to complexity assumptions and neglects round-optimality and time-efficiency of prover and verifier. 
However, we note that our transformation takes 5 rounds when implemented using arbitrary one-way function fam-
ilies, and can be implemented in only 4 rounds (which is optimal, due to a result in [23]) when implemented using 
one-way permutation families (see also the discussion at the end of Section 2 for the assumptions and rounds required 
to implement Σ-protocols for NP-complete languages). Furthermore, we note that time-efficient instantiations 
of our transformation, which incur only O(1) (a small constant) additional modular exponentiations, are possible 
under appropriate number-theoretic intractability assumptions, as we show in Section 3.1. 

Informal description of the difficulties solved by our transformation. The natural starting point for our transfor-
mation is the concurrently non-malleable zero-knowledge argument of knowledge in the CRS model from [20]. 
Informally speaking, this protocol goes as follows: the prover first generates a key pair (sk', vk') of a one-time 
strong signature scheme, then sends vk' and proves (using a Σ_OR-protocol Π_P) that either he knows a witness for 
the statement to be proved or he knows a valid signature of vk' under a signature verification key vk from the 
common reference string. In the last step, the prover signs the whole transcript of this session using sk' and 
sends the signature to the verifier. Furthermore, the simulator for this protocol uses its knowledge of the secret key 
associated with the signature verification key vk in the common reference string. 

A first way to adjust this protocol so that it might work in the APK model is as follows. Instead of taking vk 
from the reference string (which is not available in the APK model), we require the verifier to choose vk, and to give 
to the prover a witness-indistinguishable proof that the verifier knows the secret key sk associated with vk (note 
that omitting this latter proof might make it easier for cheating verifiers to violate the zero-knowledge requirement). 
Unfortunately, several standard attempts to present a proof for this protocol actually fail, one major problem being 
that an algorithm trying to use a cheating prover to break the signature scheme seems to need itself 
knowledge of the signature secret key in order to be able to use the cheating prover's power. (This does not lead to 
a contradiction of the security of the signature scheme.) 

A second adjustment to this protocol is as follows: the verifier chooses two signature verification keys vk_0, vk_1 
(rather than one), and proves knowledge of at least one of the two associated secret keys to the prover. Analogously, 
the prover proves knowledge either of a witness for the statement to be proved or of a valid signature of vk' under 
any one of the two signature verification keys vk_0, vk_1. Unfortunately, even after this additional fix we cannot rule 
out malleability interactions between the verifier's and the prover's subproofs in this protocol. (A similar situation 
was detailed in [16], where a specific message schedule was given, and it was shown that a malicious prover could 
use this schedule and malleability attacks to elude extraction attempts. Unfortunately, a fix based on the solution to 
this problem proposed by [16] would result in an inefficient protocol that would require O(1) exponentiations for 
every bit of the security parameter.) 

Our final fix is that of asking the prover to commit to a random string and prove knowledge of either 
a witness for the statement to be proved or a valid signature of vk' under one of the two signature verification 
keys vk_0, vk_1, where this signature is equal to the value that the prover committed to. We will show that with 
this combination of signatures and commitments we avoid the malleability attacks from [16] efficiently (i.e., we 
show instantiations of the overall transformation under appropriate number-theoretic assumptions that only require 
O(1) additional exponentiations) and only using general complexity assumptions, such as the existence of one-way 
function families for the 5-round variant and of one-way permutation families for the 4-round variant. On the other 
hand, as we allow the man-in-the-middle adversary to register its own public keys, the analysis of security is more 
involved: our proof of the extraction property of this protocol makes a novel combined use of concurrent scheduling 
analysis and signature-based simulation arguments. 

The protocol (P, V) 

Security parameter: 1^n. 

Common input: the public file F, an n-bit string x ∈ L, an index i that specifies the i-th entry 
pk_i = (ver_k0, ver_k1) in F, where (ver_k0, ver_k1) are two verification keys of two signature schemes 
(KG_0, Sig_0, Ver_0) and (KG_1, Sig_1, Ver_1) that are both secure against adaptive chosen message attack. 
The Prover's private input: a witness w for x ∈ L. 

V's private input: a secret key sk (sk is one of the signing keys corresponding to (ver_k0, ver_k1), i.e., 
sk = sig_k0 or sig_k1). 

P Step 0: 

compute and send to V the first message of a 4-round and partially-witness-independent Σ_OR-
protocol Π_V in which V will prove knowledge of sk that is one of the signing keys (sig_k0, sig_k1); 

V Step 1: 

compute and send to P the second message of the 4-round Σ_OR-protocol Π_V; compute and send 
to P the first message f of a 4-round Σ_OR-protocol Π_P in which P will prove to V that it knows a 
witness for statement x ∈ L or the decommitment (r, s) for C, where s is a valid signature of vk' 
corresponding to Ver_0 or Ver_1; 

P Step 1: 

1. generate a key pair (sk', vk') for a one-time strong signature scheme (KG', Sig', Ver'); 

2. choose a random string s of the length of a signature; pick a random string r and compute the 
commitment C = COM(s, r); 

3. compute and send to V the second message a of the 4-round Σ_OR-protocol Π_P; 

4. send vk', C, a and a random string (i.e., the challenge of the Σ-protocol) as the third message of Π_V to V; 

V Step 2: 

1. compute the fourth message of protocol Π_V according to the challenge sent by P in P Step 1; 
send this message to P; 

2. send a random challenge e of protocol Π_P to P; 

P Step 2: 

check whether the transcript of protocol Π_V is accepting; if so, compute the last message z of pro-
tocol Π_P; let tran denote the transcript of the above interaction (i.e., the whole sequence of messages 
sent between the parties, including z); compute the signature δ = Sig'(sk', tran) and send z, δ to V; 

V Step 3: accept if and only if (f, a, e, z) is an accepting transcript of Π_P and Ver'(vk', δ, tran) = 1. 

Figure 1: The concurrently non-malleable ZK argument of knowledge in the APK model. 

Proof of Theorem 3.1. The proofs of the properties of completeness and concurrent zero-knowledge of our 
protocol are very similar to proofs given in other papers (see, e.g., [20, 16, 39]), and we omit them here for the sake 
of space. Instead, in the rest of this section we focus on the most interesting property, extraction. (The 
simulatability of A's view follows directly from the proof of extraction.) 

Extraction. We now prove that the protocol (P, V) from Figure 1 is an argument of knowledge with negligible 
knowledge error. Let A be a probabilistic polynomial-time man-in-the-middle adversary that engages in at most 
s(n) sessions in each type of interaction (left or right interactions), for some polynomial s. We would like to 
show a probabilistic polynomial-time knowledge extractor E and a polynomial-time predicate p, such that for all 
i, 1 ≤ i ≤ s, if p^A(x_i) is not negligible, then E, with access to A, returns extr_right(x_i) and p(x_i, pk, extr_right) 
returns w_i such that (x_i, w_i) ∈ R_L with probability differing from p^A(x_i) only by a negligible amount. 

Without loss of generality, we can assume that A interacts with only one honest verifier V (that is, all right 
interactions use this specific V's public key), and interacts with many provers under any public keys chosen by 
A from the public file F (the extension to the general case with right interactions with multiple honest verifiers is 
straightforward). Then we can assume that A engages in at most s left interactions and makes V accept at the end 
of the i-th right session on input statement x_i ∈ L with a probability p^A(x_i) that is not negligible, and the transcript 
of this session is different from any transcript in the left interactions. For such A, we construct an extractor E and a 
polynomial-time predicate that satisfy the extraction requirement in Definition 2.2. The extractor E is active in both 
stages: the preprocessing stage and the proof stage. 

The extractor in the preprocessing stage. On input the security parameter 1^n, E generates two key pairs (sig_k0, ver_k0) 
and (sig_k1, ver_k1) for the signature scheme secure against adaptive chosen message attack; then, it registers the 
public key pk = (ver_k0, ver_k1) on the public file and keeps sig_kb as its secret key (it also stores sig_k_{1-b}, which 
will be important for the extractor to successfully extract a witness), where b is a random bit selected by E. Then E 
runs A's key generation algorithm and gets its outputs, i.e., a polynomial number of public keys that A registers on 
the public file during the preprocessing stage. At the end of this stage, all parties are assumed to obtain the (same) 
public file. 

The extractor in the proof stage. We first explain informally a high-level view of algorithm E in this phase. First 
of all, upon receiving in a left interaction an accepting conversation of a subprotocol Π_V, where A plays as the 
prover within Π_V, E extracts the secret key associated with this execution of Π_V. Every single one of these extractions 
is successful due to the extraction properties of the Σ-protocol Π_V. We note here that A's success with high 
probability in completing executions of Π_V does not mean that A actually knows the secret keys corresponding to 
the public keys it chooses, as it may learn from right sessions how to prove that it knows these secret keys; still, if 
the probability of A's success is high, E can extract these secret keys (this is why we can use 'potentially malleable' 
proofs of knowledge as subprotocol Π_V). Moreover, all these extractions can be successfully performed by multiple 
rewindings as in the extractor used in many other papers (e.g., the main protocol in [11]), and since there are at 
most a polynomial number of such secret keys, the expected number of rewindings is polynomial and this entire 
process takes at most expected polynomial time. These secret keys allow E to successfully simulate both the prover 
in the left interactions (as using a secret key it is possible to compute in polynomial time a witness for the statement 
proved using subprotocol Π_P) and the verifier in the right interactions (as sig_kb is itself a witness for the statement 
proved using subprotocol Π_V) with A during the proof stage. A correct simulation of the interaction with A is 
necessary for E to later perform one more extraction in correspondence with the i-th right session, and thus obtain 
the desired witness. The hard part is then to prove that E actually obtains a witness for R_L, rather than a signature 
that A somehow was able to obtain by some malleability attack; this proof uses the properties of all three tools 
(commitments, signatures and partially-witness-independent Σ-protocols), and is detailed later. 

We now proceed more formally with the description of E in the proof stage, by describing E's instructions with 
respect to each message type sent by A: 

1. upon receiving start left session with inputs y (the statement to be proven), pk' from A: E starts a left interaction 
with inputs y, pk', playing as the prover in 'P step 0' (thus sending the first message of the 4-round Σ-protocol Π_V); 

2. upon receiving start right session on input x, pk from A: along with this request, E also receives from A the 
message computed according to 'P step 0'; then E computes a message as in 'V step 1' and sends it to A; 

3. upon receiving a message generated as in 'V step 1' (left interaction) on input y, pk': if the secret key 
corresponding to pk' has not been extracted yet and pk' ≠ pk, then E sends to A a message computed as 
in 'P step 1'; otherwise pk' = pk or E has already extracted the secret key associated with pk': in the 
former case, E flips a random bit j, generates a key pair (sk', vk') for the one-time strong signature scheme 
and computes the signature sig = Sig_j(sig_kj, vk') (note that E stores both sig_kb and sig_k_{1-b}) and 
computes c = COM(sig, r) by choosing a random string r, and finally executes the protocol Π_P using the 
witness (sig, r); in the latter case (the secret key sig_ka, associated with a public key generated by A during 
the preprocessing stage, has already been extracted), the protocol Π_P is executed as in the previous case by 
using sig_ka to compute a witness; 

4. upon receiving a message generated as in 'P step 1' (right interaction) on input x, pk: E sends to A a message 
computed as in 'V step 2'; here, the witness used by E to successfully complete the subprotocol Π_V is the 
secret key sig_kb that E generated in the preprocessing stage; 

5. upon receiving a message generated as in 'V step 2' (left interaction) on input y, pk': E checks whether the 
obtained transcript of subprotocol Π_V is accepting and pk' ≠ pk; if so, it runs the extractor associated with 
the Σ-protocol Π_V to extract the secret key sig_ka associated with pk'; once this extraction is completed, E 
rewinds A until right before the message generated in 'P step 1' is sent to A, and runs a modified version of 
'P step 1', where the modification is exactly as done in item 3 above; 

6. upon receiving a message generated as in 'P step 2' (right interaction) on input x, pk: E checks whether the 
transcript of subprotocol Π_P in this right session is accepting; if so, it runs the extractor (using the rewinding 
technique) for the Σ-protocol Π_P, returns the entire conversation extr_right(x) between A and the extractor 
for the Σ-protocol Π_P, and halts. 

The predicate p is simply defined as the algorithm that, on input x_i, pk, extr_right(x_i) (with respect to the i-th right 
session), parses extr_right(x_i) as a pair of conversations of the 4-round Σ-protocol Π_P; if both conversations are 
accepting, p can compute a witness for 'x_i ∈ L' by using the properties of the extractor for Σ-protocols. 

We start by noting some facts about the above construction of E and p, and later prove that they satisfy Definition 2.2. 
First of all, we note that E successfully simulates A's view in the right interactions; this can be seen by noting 
that in items 2 and 4 of E's construction, the next message for A is generated identically as in V's algorithm. 

Furthermore, we note that E's simulation of A's view in the left interactions only differs from A's view in 
a real execution of A's attack in the following: instead of the witness w_i for a statement in L, the secret key is used to 
compute a signature that is the witness used in subprotocol Π_P. We will show that this difference is computationally 
indistinguishable for A, or otherwise we can use A to violate the witness-indistinguishability of Π_P or the binding 
property of the commitment scheme used. To prove this, we construct a non-uniform hybrid simulator taking as 
input all these secret keys and all the witnesses of statements in the left interactions, which computes commitments 
exactly as E does and executes Π_P using the same witness of the statement used by the honest prover. It is easy to 
see that the transcript generated by the hybrid simulator is indistinguishable from both the one in real interactions 
and the one generated in the extraction. Now we can claim that E, running in expected polynomial time, can output 
a valid witness w' with probability negligibly close to p^A(x_i). Then, if E extracts the witness w' successfully, one of 
the following two events must occur: 

Event 1: (x_i, w') ∈ R_L; 

Event 2: w' = (sig', r), c = COM(sig', r) and sig' is a valid signature of vk' corresponding to ver_k0 or 
ver_k1. 

If we prove that Event 2 occurs with negligible probability, the proof of Theorem 3.1 is complete. Then, in 
the rest of the proof we concentrate on proving that Event 2 occurs with negligible probability, or otherwise we 
can contradict at least one of these three properties: the unforgeability of the signature scheme, the binding of the 
commitment scheme, or the witness-indistinguishability of the Σ-protocol used. 

We start by assuming (towards contradiction) that the probability that Event 2 occurs is not negligible, and we 
construct a non-uniform algorithm B with access to a signing oracle that plays similarly to the extractor E and 
attempts to violate the security against adaptive chosen message attack of the scheme (KG_{1-b}, Sig_{1-b}, Ver_{1-b}). 

The non-uniform algorithm B is given access to the signing oracle of the signature scheme (KG_{1-b}, Sig_{1-b}, 
Ver_{1-b}); taking as auxiliary input pk = (ver_k0, ver_k1, sig_kb) generated by the extractor E, it invokes the adver-
sary A, feeds it with the public key (ver_k0, ver_k1) and works in exactly the same way as E. Note that in this 
extraction process executed by B, when A starts a session under the public key generated by E (i.e., pk) in left 
interactions and B flips a bit j ≠ b, B can obtain the signature on a verification key vk' of the one-time signature 
scheme (generated by itself) by querying the signing oracle of (KG_{1-b}, Sig_{1-b}, Ver_{1-b}). We then denote as w'_B 
the witness extracted by B at the end of its execution, and as vk'_B the public key associated with the i-th right interac-
tion, the latter being defined as the interaction where B is successful in rewinding the adversary A, obtaining two 
different transcripts of Π_P, and thus computing w'_B. 

Note that E and B implicitly define two extraction procedures, to which we will hereon refer as Ext_E and Ext_B. 
We note that A's view is the same in both Ext_B and Ext_E, and therefore Event 2 occurs in Ext_B with exactly the 
same probability as that of Event 2 occurring in Ext_E. 

The proof continues with the following two claims. 

Claim 1. Let p be the probability that Event 2 occurs in Ext_B, and q be the probability that the algorithm B 
outputs a signature sig_B (contained in w'_B) such that Ver_{1-b}(ver_k_{1-b}, sig_B, vk'_B) = 1. If p is non-negligible, 
then so is q. 

Assume, towards contradiction, that Claim 1 is false; that is, p is non-negligible and q is negligible. We 
now show that this contradicts either the witness indistinguishability of Π_V or the computational binding of the 
commitment scheme COM. 

We first note that during the above extraction procedures Ext_E and Ext_B, the view of A in the left interactions 
is independent of b (note that in the executions of a left session under the public key pk, E or B randomly chooses 
one of the two secret keys associated with pk and uses this secret key to compute a witness). If the probability q is 
negligible, this implies that if B always uses the witness sig_kb to execute Π_V during the extraction (i.e., Ext_B), 
B always outputs a signature corresponding to ver_kb except with negligible probability. Let l be the number of 
right sessions¹ executed before the end of session i; by standard hybrid arguments, there must be j ∈ {1, ..., l} 
such that if B uses the witness sig_kb to execute Π_V in the j-th right session, it will output a valid signature under 
ver_kb with probability at least (p − q)/l (note that the probability that it outputs a valid signature under ver_k_{1-b} 
is still negligible). It is easy to see that if the j-th proof (i.e., the j-th execution of Π_V) in the right interactions 
has been completed before 'P Step 1' in the i-th right session, A can be used to break the witness 
indistinguishability of Π_V (it distinguished which witness was used in the j-th proof), because during the extraction we 
do not rewind the j-th right proof². If the j-th proof in the right session completed after P Step 1 in the i-
th session, we can construct a non-uniform algorithm B' to break the computational binding of the commitment 
scheme COM. 

The non-uniform algorithm B' takes as auxiliary input (ver_k0, ver_k1, sig_k0, sig_k1) (i.e., both signing 
keys), feeds A with the public key (ver_k0, ver_k1) and runs A's key generation algorithm to get all public keys of 
A. Then it performs the following extraction: 

1. Simulation: acts exactly like E in the left simulation of the extraction. For the simulation in right interactions, B' 
picks a random bit b and uses sig_kb as witness in all right proofs (i.e., the right executions of Π_V) until it 
receives the message a in P Step 1 of the i-th right session (let f be the first message of Π_P in this session). 
After receiving a, B' continues independently in the two following games; 

2. Game 0: B' uses sig_k0 as witness in all right proofs (including the j-th proof) that completed after P Step 1 
of the i-th right session, up to the end of the whole extraction. After B' obtains an accepting transcript (f, a, e_0, z_0) of Π_P 
in the i-th right session, it rewinds to the beginning of V Step 2 of the i-th session in the right interactions 
and replays this step by sending another random challenge e'_0 ≠ e_0 until it gets another accepting transcript 
(f, a, e'_0, z'_0) of Π_P. 

3. Game 1: repeats the rewinding game twice and obtains two accepting transcripts (f, a, e_1, z_1) and (f, a, e'_1, z'_1) 
of Π_P, but in this game B' uses sig_k1 as witness in all right proofs (including the j-th proof) that completed 
after P Step 1 of the i-th right session, up to the end of the whole extraction. Since Π_V is partially-witness-independent, 
and since a proof that completed after P Step 1 of the i-th right session means that A has seen at most the first 
message of V (i.e., V Step 1) in that proof, B' can choose a different witness to complete those right proofs 
after A sent the first message a of Π_P (P Step 1) in the i-th right session. 

Note that the message a sent by A in the i-th right session contains a commitment C and a verification key 
vk' of a one-time strong signature scheme. Clearly, with probability negligibly close to p, B' will output two 
valid witnesses w'_0 = (sig'_0, r_0) and w'_1 = (sig'_1, r_1) from the above two games such that the following holds: 
sig'_0 = Sig_0(sig_k0, vk'), sig'_1 = Sig_1(sig_k1, vk'), c = COM(sig'_0, r_0) and c = COM(sig'_1, r_1). This 
contradicts the computational-binding property of the scheme COM. 

¹ When B rewinds A to get its secret keys during the left extraction in Ext_B, A may rewind B in right interactions and this may result in 
some new right sessions. The "right sessions" mentioned here do NOT include this kind of right sessions (generated during left extractions). 

² Indeed, the j-th (right) proof may be rewound by A due to left extraction (in order to get the adversary's secret key). However, we note 
that the transcript during the left extraction does not appear in A's view because after each rewinding B resets A to its state just 
before the rewinding (so A's memory of the conversation during left extraction is "deleted"). In other words, if the j-th proof (given 
by the verifier) in the right interactions has been completed before 'P Step 1' in the i-th right session, A does not see any rewinding of 
the j-th right proof. 

In sum, if Event 2 occurs in Ext_E with a non-negligible probability p, the algorithm B can output a signature 
sig_B of vk'_B such that Ver_{1-b}(ver_k_{1-b}, sig_B, vk'_B) = 1 with non-negligible probability. If B did not query 
the signing oracle on the message vk'_B, it breaks the scheme (KG_{1-b}, Sig_{1-b}, Ver_{1-b}). 

Claim 2. vk'_B is different from any verification key of the one-time strong signature scheme (KG', Sig', Ver') 
generated by B in the left interactions. 

Assume otherwise: vk'_B appeared in the transcript of the j-th left session for some 1 ≤ j ≤ s, which we denote 
by tr_left^j, with tr_left^j = (tran_j, δ_j) according to our notation. Let tr_right^i = (tran_i, δ_i) be the accepting transcript 
in the i-th right session before B rewinds. Then we have Ver'(vk'_B, tran_j, δ_j) = 1, Ver'(vk'_B, tran_i, δ_i) = 1 and 
tr_left^j ≠ tr_right^i (according to Definition 3), thus one of the following two cases must occur: 1) tran_j ≠ tran_i, which 
means A produced a valid signature on a different message; 2) δ_j ≠ δ_i, which means A produced a different valid 
signature (on a possibly different message). It is clear that in both cases A violates the security requirements of a 
one-time strong signature scheme. □ 

3.1 Efficient Instantiations of Our Transformation 

We present two efficient instantiations based on Pedersen's commitment scheme (based on the DL assumption) [35] and 
the Elgamal commitment scheme (based on the DDH assumption), respectively. For the signature schemes, we employ 
Boneh and Boyen's short signature scheme (based on the Strong DH assumption) [6] and the one-time strong signature 
scheme in [19]. We first note that when we make the assumptions underlying these specific schemes, our protocols 
Π_P and Π_V can be reduced to 3-round protocols, and still enjoy the partially-witness-independent property. 
We now briefly recall these schemes. 

Boneh and Boyen's scheme. This scheme is based on bilinear maps and its security relies on the Strong Diffie-
Hellman assumption. Let G_1 and G_2 be two cyclic groups of prime order q with generators g_1, g_2 respectively, and let ψ 
be an efficiently computable isomorphism ψ : G_2 → G_1 with ψ(g_2) = g_1. We say (G_1, G_2) are bilinear groups if 
there exist a group G_T, an isomorphism ψ as defined above, and a bilinear map e : G_1 × G_2 → G_T such that for all 
u ∈ G_1, v ∈ G_2 and a, b ∈ Z, e(u^a, v^b) = e(u, v)^{ab} and e(g_1, g_2) ≠ 1. 

The signature scheme operates as follows: 1) Key generation algorithm KG. Pick a random generator g_2 ← 
G_2 and set g_1 = ψ(g_2). Pick random x, y ← Z_q^*, and compute u ← g_2^x ∈ G_2 and v ← g_2^y ∈ G_2. Also 
compute z ← e(g_1, g_2) ∈ G_T. The verification key is (g_1, g_2, u, v, z), the signing key is (x, y). 2) Signing 
algorithm Sig. Given a signing key x, y ∈ Z_q^* and a message m ∈ Z_q^*, pick a random r ← Z_q^* and compute 
σ ← g_1^{1/(x + m + yr)}. Here 1/(x + m + yr) is computed modulo q. In the unlikely event that x + m + yr = 0, 
we try again with a different random r. The signature is (σ, r). 3) Verification algorithm Ver. Given a verification 
key (g_1, g_2, u, v, z), a message m ∈ Z_q^*, and a signature (σ, r), verify e(σ, u · g_2^m · v^r) = z; if this is the case, output 
valid, otherwise output invalid. 

Pedersen's commitment scheme. Let p, q be two primes such that p = 2q + 1 and |q| = n, where n is the security 
parameter, let G_q denote the subgroup of Z_p^* of order q in which the DL problem is hard, and let g be a generator 
of the subgroup. To commit to a value, the receiver first chooses a random number x ∈ Z_q (this corresponds to the verifier 
sending this random value in V Step 1 of the protocol depicted in Figure 1), computes h = g^x, and sends h to the 
sender. Then the sender S commits to a value y as follows: it randomly chooses r ∈ Z_q, computes C = g^y h^r, and 
sends C to the receiver. To decommit a commitment C, the sender delivers y and r. The binding property of this 
commitment scheme relies on the DL assumption on the subgroup G_q. We note that this scheme enjoys the perfect-hiding 
property: the distribution of the commitments is indistinguishable for any all-powerful receiver R*. 

Elgamal commitment scheme. It is a basic application of the Elgamal encryption scheme. Let $p, q, g, G_q$ be as described above, but in this scheme we assume that the DDH problem in $G_q$ is hard. To commit to a value $y$, the sender S chooses a random number $x \in \mathbb{Z}_q$ and computes $h = g^x$ (note that the sender chooses $x$ itself, so the committing stage does not require interaction); then it commits to the value $y$ as follows: it randomly chooses $r \in \mathbb{Z}_q$, computes $C = (g^r, g^y h^r)$, and sends $C$ to the receiver. To decommit a commitment $C$, the sender delivers $y$ and $r$. The hiding property of this commitment scheme relies on the DDH assumption on the subgroup $G_q$, and this scheme enjoys the perfect-binding property: it is impossible to open a commitment $C$ in two different ways, even for an all-powerful sender $S^*$.

In the following specific instantiations, we use the same prime $q$ in both the Boneh and Boyen's scheme and the commitment schemes; therefore the length of each part of the signature $(\sigma, r)$ is $\lceil \log_2 q \rceil$. Let $|\sigma|$ be the integer representation of $\sigma$; clearly $|\sigma|$ is in $\mathbb{Z}_q$, which is the message space of the Pedersen's scheme. We assume without loss of generality that the length of the public key $vk'$ of the efficient one-time strong signature scheme is $\lceil \log_2 q \rceil$, the message size required by the Boneh and Boyen's scheme (in fact, we can sign an arbitrary message by hashing it first without loss of security, see [16]).

It is easy to instantiate the protocol $\Pi_v$, in which the verifier proves knowledge of the secret key of the Boneh and Boyen's signature scheme, by using the well-known proof of knowledge of one out of two discrete logarithms. Now, consider the following two statements, where the common input consists of a commitment key $C$, signature verification keys generated according to the key-generation algorithm of the Boneh and Boyen's scheme, and a message $m$ (i.e., the verification key of the one-time signature scheme):

1. There exist $\sigma, r$ such that $C = COM(\sigma, r)$ and $\sigma$ is a valid signature of $m$ under one of two signature verification keys, according to Boneh and Boyen's signature verification algorithm.

2. There exist $\sigma, r$ such that $C = COM(\sigma, r)$ and $\sigma$ is a valid signature of $m$ under a given signature verification key, according to Boneh and Boyen's signature scheme.

We observe that if we can design an efficient $\Sigma$-protocol for statement 2, then we can apply the OR-composition technique discussed in Appendix ??, and obtain an efficient $\Sigma$-protocol for statement 1. Therefore, we focus on giving an efficient instantiation of a $\Sigma$-protocol for statement 1. (We stress that the $\Sigma$-protocol for statement 2 based on El Gamal's commitment scheme satisfies only special honest-verifier computational zero-knowledge, and so does the corresponding $\Sigma$-protocol for statement 1.)

The $\Sigma$-protocols for statement 1 based on Pedersen's commitment scheme and the Elgamal commitment scheme are depicted in Figure 2 and Figure 3, respectively. The common input consists of two commitments $C_1, C_2$ to the signature $(|\sigma|, r)$ (where $C_1$ is a commitment to $|\sigma|$ and $C_2$ is a commitment to $r$), the verification key $(g_1, g_2, u, v, z)$ of the Boneh and Boyen's scheme, the parameters $g, h, p, q$ of Pedersen's scheme, and the message $m$.

Ideas behind the $\Sigma$-protocols for statement 1. Our proof system combines the following two subprotocols: (1) a proof of knowledge of the value committed to by the commitment key (for Pedersen's scheme, the proof system for this statement is proposed in [32]); (2) a proof that the value contained in the commitment is a valid signature on a known message. This can be done as follows: first the prover generates $A$ and $F$ (see Figure 2 and Figure 3), on which the verifier will check whether these elements pass a randomized variant of the signature verification equation (we note that sending both $F$ and $t$ will not harm the prover, as Boneh and Boyen's signatures are properly randomized). Then the prover sends three specific elements $B$, $D$ and $E$ whose purpose is to show that the signature determined by $F$ and $t$ matches the value committed to in the commitment.

For clarity of description, we omit specifying the groups over which the exponentiations are performed, as they 
are clear from the context. 



The common input: $C_1$, $C_2$, $(g_1, g_2, u, v, z, G_1, G_2, G_T)$, $(g, h, p, q)$, $m$
The Prover's private input: $(\sigma, r), r_1, r_2$

Prover: $t, s_1, s_2, t_1, t_2 \leftarrow_R \mathbb{Z}_q$;
    $M_1 \leftarrow g^{s_1} h^{t_1} \bmod p$; $M_2 \leftarrow g^{s_2} h^{t_2} \bmod p$;
    $F \leftarrow \sigma^t$; $A \leftarrow v^r$; $B \leftarrow v^{s_2}$; $D \leftarrow \sigma^{t|\sigma| \bmod q}$; $E \leftarrow \sigma^{t s_1 \bmod q}$.
Prover -> Verifier: $t, M_1, M_2, A, B, D, E, F$
Verifier: $e \leftarrow_R \mathbb{Z}_q$.
Verifier -> Prover: $e$
Prover: $y_1 \leftarrow s_1 + e|\sigma| \bmod q$; $z_1 \leftarrow t_1 + e r_1 \bmod q$;
    $y_2 \leftarrow s_2 + e r \bmod q$; $z_2 \leftarrow t_2 + e r_2 \bmod q$.
Prover -> Verifier: $y_1, z_1, y_2, z_2$
Verifier accepts if and only if:
    $C_1^e M_1 = g^{y_1} h^{z_1} \bmod p$;
    $C_2^e M_2 = g^{y_2} h^{z_2} \bmod p$;
    $v^{y_2} = A^e B$; $F^{y_1} = D^e E$;
    $e(F, u g_2^m A) = z^t$.

Figure 2. The $\Sigma$-protocol for statement 1 based on Pedersen's commitment scheme, i.e., proof of the relationship
$\{((C_1, C_2, g_1, g_2, u, v, z, g, h, p, q, m); (\sigma, r, r_1, r_2)) \mid C_1 = g^{|\sigma|} h^{r_1} \wedge C_2 = g^r h^{r_2} \wedge e(\sigma, u g_2^m v^r) = z\}$.

For the $\Sigma$-protocol based on Pedersen's commitment scheme, it is easy to see that we can compute the witness from two different transcripts $(a, e, z)$ and $(a, e', z')$ of two executions of the above protocol. Special honest-verifier zero-knowledge is also clear: given a challenge $e$, a simulator randomly chooses $s \leftarrow_R \mathbb{Z}_q^*$ and computes $\sigma \leftarrow g_1^s \in G_1$, picks $t \leftarrow_R \mathbb{Z}_q$, $y_1 \leftarrow_R \mathbb{Z}_q$, $y_2 \leftarrow_R \mathbb{Z}_q$, $z_1 \leftarrow_R \mathbb{Z}_q$ and $z_2 \leftarrow_R \mathbb{Z}_q$; then, it computes $M_1 \leftarrow g^{y_1} h^{z_1} C_1^{-e} \bmod p$, $M_2 \leftarrow g^{y_2} h^{z_2} C_2^{-e} \bmod p$, $F \leftarrow \sigma^t \in G_1$, $D \leftarrow \sigma^{t|\sigma| \bmod q} \in G_1$, $E \leftarrow D^{-e} F^{y_1} \in G_1$, $A \leftarrow u^{-1} g_2^{-m} g_2^{1/s} \in G_2$, $B \leftarrow v^{y_2} A^{-e} \in G_2$, and it is easy to check that the "transcript" generated in this way has the same distribution as a real execution. Note that the Boneh and Boyen's scheme requires $(x + m + yr) \in \mathbb{Z}_q^*$, and this is why the simulator can randomly choose $s$ from $\mathbb{Z}_q^*$.

We can analyze the $\Sigma$-protocol based on the Elgamal commitment scheme in a similar way, but this protocol enjoys only special honest-verifier computational zero-knowledge.
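As an added illustration (not code from the paper), the commitment part of the $\Sigma$-protocols of Figures 2 and 3 in Python: the Pedersen and Elgamal commitments of this section, the commitment checks $C^e M = g^{y} h^{z}$ (and $C_{11}^e M_{11} = g^{z}$ for Elgamal) with $y$ standing for $|\sigma|$ or $r$, the special honest-verifier simulator $M \leftarrow g^{y} h^{z} C^{-e}$, and witness extraction from two transcripts with the same first message. The toy parameters $q = 53$, $p = 107$, $g = 4$ are constructed for illustration only; the pairing-based checks on $A, B, D, E, F$ are left out because they need bilinear groups.

```python
import secrets

# Toy group parameters, constructed for illustration only (far too small for
# real use): p = 2q + 1 with q prime, and g a generator of the order-q
# subgroup G_q of Z_p^* (g = 4 is a quadratic residue, so it has order q).
q = 53
p = 2 * q + 1  # 107
g = 4

def rand_zq():
    return secrets.randbelow(q)

def pedersen_commit(h, y, r):
    """Pedersen commitment to y in Z_q: C = g^y h^r mod p, h = g^x from the receiver."""
    return pow(g, y, p) * pow(h, r, p) % p

def elgamal_commit(h, y, r):
    """Elgamal commitment to y: C = (g^r, g^y h^r) mod p, h = g^x chosen by the sender."""
    return pow(g, r, p), pedersen_commit(h, y, r)

# Sigma-protocol for knowledge of an opening: the commitment checks of Figures 2
# and 3, with y playing the role of |sigma| (or r) and r the role of r1 (or r2).
def prover_first(h):
    """Prover's first message: s, t <-R Z_q; returns state and (g^t, g^s h^t)."""
    s, t = rand_zq(), rand_zq()
    return (s, t), (pow(g, t, p), pedersen_commit(h, s, t))

def prover_respond(state, y, r, e):
    """Responses to challenge e: y' = s + e*y mod q, z' = t + e*r mod q."""
    s, t = state
    return (s + e * y) % q, (t + e * r) % q

def verify_pedersen(h, C, M, e, y_resp, z_resp):
    """Figure 2 check: C^e M = g^{y'} h^{z'} mod p."""
    return pow(C, e, p) * M % p == pedersen_commit(h, y_resp, z_resp)

def verify_elgamal(h, C, M, e, y_resp, z_resp):
    """Figure 3 checks: C1^e M1 = g^{z'} and C2^e M2 = g^{y'} h^{z'} mod p."""
    (c1, c2), (m1, m2) = C, M
    return (pow(c1, e, p) * m1 % p == pow(g, z_resp, p)
            and verify_pedersen(h, c2, m2, e, y_resp, z_resp))

def simulate_pedersen(h, C, e):
    """SHVZK simulator: pick y', z' first, then M = g^{y'} h^{z'} C^{-e} mod p."""
    y_resp, z_resp = rand_zq(), rand_zq()
    M = pedersen_commit(h, y_resp, z_resp) * pow(C, -e, p) % p
    return M, e, y_resp, z_resp

def extract_pedersen(t1, t2):
    """Special soundness: two accepting transcripts with equal M, e != e' give (y, r)."""
    (M1, e1, y1, z1), (M2, e2, y2, z2) = t1, t2
    assert M1 == M2 and e1 != e2
    inv = pow((e1 - e2) % q, -1, q)
    return (y1 - y2) * inv % q, (z1 - z2) * inv % q
```

Simulated transcripts pass `verify_pedersen` for any challenge without the opening, while two honest transcripts on the same first message leak the opening through `extract_pedersen`.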
The common input: $C_1 = (C_{11}, C_{12})$, $C_2 = (C_{21}, C_{22})$, $(g_1, g_2, u, v, z, G_1, G_2, G_T)$, $(g, h, p, q)$, $m$
The Prover's private input: $(\sigma, r), r_1, r_2$

Prover: $t, s_1, s_2, t_1, t_2 \leftarrow_R \mathbb{Z}_q$;
    $M_{11} \leftarrow g^{t_1} \bmod p$; $M_{12} \leftarrow g^{s_1} h^{t_1} \bmod p$;
    $M_{21} \leftarrow g^{t_2} \bmod p$; $M_{22} \leftarrow g^{s_2} h^{t_2} \bmod p$;
    $F \leftarrow \sigma^t$; $A \leftarrow v^r$; $B \leftarrow v^{s_2}$; $D \leftarrow \sigma^{t|\sigma| \bmod q}$; $E \leftarrow \sigma^{t s_1 \bmod q}$.
Prover -> Verifier: $t, M_{11}, M_{12}, M_{21}, M_{22}, A, B, D, E, F$
Verifier: $e \leftarrow_R \mathbb{Z}_q$.
Verifier -> Prover: $e$
Prover: $y_1 \leftarrow s_1 + e|\sigma| \bmod q$; $z_1 \leftarrow t_1 + e r_1 \bmod q$;
    $y_2 \leftarrow s_2 + e r \bmod q$; $z_2 \leftarrow t_2 + e r_2 \bmod q$.
Prover -> Verifier: $y_1, z_1, y_2, z_2$
Verifier accepts if and only if:
    $C_{11}^e M_{11} = g^{z_1} \bmod p$;
    $C_{12}^e M_{12} = g^{y_1} h^{z_1} \bmod p$;
    $C_{21}^e M_{21} = g^{z_2} \bmod p$;
    $C_{22}^e M_{22} = g^{y_2} h^{z_2} \bmod p$;
    $v^{y_2} = A^e B$; $F^{y_1} = D^e E$;
    $e(F, u g_2^m A) = z^t$.

Figure 3. The $\Sigma$-protocol for statement 1 based on the Elgamal commitment scheme, i.e., proof of the relationship
$\{((C_{11}, C_{12}, C_{21}, C_{22}, g_1, g_2, u, v, z, g, h, p, q, m); (\sigma, r, r_1, r_2)) \mid (C_{11}, C_{12}) = (g^{r_1}, g^{|\sigma|} h^{r_1}) \wedge (C_{21}, C_{22}) = (g^{r_2}, g^r h^{r_2}) \wedge e(\sigma, u g_2^m v^r) = z\}$.

4 Impossibility Result for Concurrently Non-Malleable Zero-Knowledge in the BPK model

In this section we ask the natural question of whether it is possible to further reduce the setup assumptions used in Section 3 for the construction of concurrently non-malleable zero-knowledge arguments of knowledge. We consider the setup assumptions of the BPK model. Due to the lack of authenticated access to the public file (as in the APK model), no assumption is made in the BPK model guaranteeing that the public file is correctly read by provers at any time during the proof stage. In other words, if we consider (without loss of generality) any prover's action of reading the public file as a message exchange between this prover and the public file site, we allow the communication between the prover and the public file site to be unauthenticated, and thus subject to modification by a man-in-the-middle adversary. As a consequence, we obtain the following negative result:

Theorem 4.1 Let $L$ be a language and let $R_L$ be the relation associated to $L$. If, in the BPK model, there exists a concurrently non-malleable zero-knowledge argument of knowledge for $R_L$, then $L$ is in BPP.

As the APK model can be seen as a minor strengthening of the BPK model, this negative result seems to imply that the setup assumptions that are sufficient in Theorem 3.1 to obtain concurrently non-malleable zero-knowledge arguments of knowledge for relations associated with non-trivial languages are essentially optimal. In other words, the above result says that authenticated communication between all provers and the public file site is a necessary assumption to obtain these protocols. The proof of Theorem 4.1 is obtained by transforming a concurrently non-malleable zero-knowledge argument of knowledge for $R_L$ in the BPK model into one for the same relation in the standard model (that is, without setup assumptions), and then invoking the result of [29], which says that such protocols, even regardless of their (polynomial) round complexity, are only possible for relations associated with trivial languages in the standard model.

Proof of Theorem 4.1. The proof is obtained by transforming a concurrently non-malleable zero-knowledge argument of knowledge for $R_L$ in the BPK model into one for the same relation in the standard model (that is, without setup assumptions), and then invoking the result of [29], which says that such protocols, even regardless of their (polynomial) round complexity or simulation paradigm (black-box or non-black-box), are only possible for relations associated with trivial languages in the standard model.

Let $(P, V)$ be a concurrently non-malleable zero-knowledge argument of knowledge for $R_L$ in the BPK model; here, $V = (V_1, V_2)$, where $V_1$ runs in the preprocessing stage and $V_2$ runs in the proof stage.

We define a protocol $(P', V')$ in the standard model as follows. $V'$ divides its random tape in two parts (of appropriate length) as $r_1 \| r_2$; then, it first runs $V_1$ on input the security parameter $1^n$ and using $r_1$ as randomness, thus obtaining $(pk, sk)$ and sending $pk$ to $P'$; then it continues running $V_2$ using $r_2$ as randomness. $P'$ is almost identical to $P$, the only difference being that whenever $P$ uses the value $pk_V$ from the public file, $P'$ uses the value $pk$ received from $V'$. Here, we assume without loss of generality that $P$ sends the first message in the execution of $(P, V)$; if not, we should add another $P'$ step: after receiving the public key $pk$ from $V'$, $P'$ replies with a message "I received $pk$" and then both parties continue as discussed above (i.e., $V'$ runs $V_2$ and $P'$ runs $P$).

We now need to show that (P', V') is a concurrently non-malleable zero-knowledge argument of knowledge 
in the standard model, under the assumption that (P, V) is a concurrently non-malleable zero-knowledge argument 
of knowledge in the BPK model. To that purpose, we first show how to formally define the notion of concurrently 
non-malleable zero-knowledge argument of knowledge in the BPK model, and recall the definition of concurrently 
non-malleable zero-knowledge argument of knowledge in the standard model. 

The definition in the BPK model. We note that a concurrently non-malleable zero-knowledge argument of knowledge in the BPK model can be formally defined almost identically as in the APK model, the only differences being the following. First, the equality $F_P = F$ does not hold any more in the BPK model; that is, each prover $P$'s access at time $t$ to the public file $F$ may return a file $F_{P,t}$ that may not be equal to $F$ due to adversarial action from a man-in-the-middle (though each prover can keep the file in local memory, the adversary can still invoke different provers in the left interactions, and these provers are not aware of the existence of each other; thus the public file kept by one prover may differ from the one kept by another prover). Second, in modeling the adversary $A$'s man-in-the-middle attack, for the sake of generality we consider the worst possible behavior from $A$, where each prover $P$'s access at time $t$ to the public file $F$ may return a file $F_{P,t,A}$ that is arbitrarily chosen by $A$. The requirements of completeness, concurrent zero-knowledge, extraction and simulatability of $A$'s view are consequently modified.

The definition in the standard model. We note that concurrently non-malleable zero-knowledge arguments of knowledge in the standard model were first defined in [17], where the extraction property says that for each adversary who plays as a man-in-the-middle and is given access to a polynomial number of provers in left interactions, there exists a simulator that is not given access to such provers and is essentially as successful in making the verifier in the right interaction accept. In the same paper, it was also shown that the property guaranteeing extraction of a valid witness from the adversary implies the concurrent non-malleability property of the given protocol.

Rest of the proof (sketch). The completeness property of $(P', V')$ immediately follows from the analogous property of $(P, V)$.

To see that $(P', V')$ satisfies the concurrent zero-knowledge property, we construct a simulator $S$ for any probabilistic polynomial-time $V'^*$. Let $S = M = (M_P, M_V)$ (the latter algorithms are guaranteed by the assumed simulatability of $A$'s view property of protocol $(P, V)$). Then $S$ acts as follows: $M_V$ does nothing; whenever $V'^*$ sends an arbitrary public key $pk$ to $M_P$, $M_P$ starts a new session under $pk$ as if it were interacting with the man-in-the-middle adversary $A$ (here, $M_P$ treats $V'^*$ as $A$); at the end of the simulation, $S$ outputs the transcript of all interactions. This simulator works because in the (unauthenticated) BPK model, $A$ actually delivers an arbitrary public key to the prover before each session in the left interactions (again, note that $A$ can invoke different provers in every left session, so a prover's memory of the public file does not keep $A$ from delivering an arbitrary public key to a prover before each session), and thus we can view the interactions of $V'^*$ with several honest provers (in the protocol $(P', V')$) as the left interactions in which $V'^*$ plays the man-in-the-middle adversary interacting with several honest provers and verifiers with respect to protocol $(P, V)$ (indeed $V'^*$ does not interact with $V$).

The protocol $(P', V')$ also enjoys the extraction property (and therefore the concurrent non-malleability property). We can construct an extractor $E'$ for the man-in-the-middle adversary $A'$ with respect to $(P', V')$ by modifying the extractor $E$ (guaranteed by the extraction property of $(P, V)$) for the adversary $A$ with respect to $(P, V)$ in this way: instead of generating a public file (consisting of a number of public keys) and feeding this file to $A$ first (this can be seen to be an implicit requirement for $E$, or otherwise the extraction property would not hold for $(P, V)$), $E'$ stores this file itself. Whenever $A'$ wants to interact with $V'_i$, $E'$ first sends the public key in the $i$-th entry of the public file, and then acts identically to $E$. We can claim that if $E'$ does not work, then neither does $E$, because by modifying $A'$ we can easily construct an adversary $A$ which will break the extraction property of $(P, V)$.